Enterprise Security Spending: Bucking the Trends

By Guy Currier |
Posted 02-23-2012

Enterprise Security Spending: Bucking the Trends

The more things change, the more they stay the same. While much of IT is engulfed in sweeping transformation brought on by four technology trends -- virtualization, mobility, cloud computing and consumerization -- it turns out that organizational approaches to risk are reverting to old form.

We can see this in the results of our CIO Insight 2012 Enterprise Security Trends study, conducted from late December 2011 to early January 2012. To conduct the study, we emailed a survey to a random sample of IT security executives culled from the audience lists of our corporate parent Ziff Davis Enterprise's magazines, newsletters and events; 341 respondents who work in organizations with 50 or more employees responded. Of these, 188 (55%), work in companies with 1,000 or more employees, giving our data good representation of both midrange and large enterprises. (Download a PDF version of the study results with accompanying charts here.)

The survey examined IT security spending that is formally budgeted, as well as that which falls within other budget areas. In early 2011, we fielded the same survey using a sample from the same source, so now we can see how security investment patterns have changed, or not changed, in the past year. And surprisingly, the survey results show a significant return to tradition in terms of which areas of IT are getting the most security attention, and which are receiving the least.

For example, the networking equipment budget was the only area to grow considerably from 2010 to 2011 in share of organizations seeing higher security-related spending, from 45 percent of respondents to 58 percent. Conversely, the number of organizations spending on security within compliance plummeted. However, most traditional budget areas -- such as databases, servers, storage and enterprise software -- remained stable in terms of the frequency of security-related investments.

Meanwhile, the most dynamic areas of IT are tending to see less security-related spending within their budgets, rather than more. For example, fewer organizations than last year are spending on security in their cloud computing, mobile device, and application development budgets (see Finding 1.1). In this year's survey, application development spending was reported, on average, to be only 5 percent higher to address security issues, compared to 12 percent higher last year (see Finding 1.2). That's the only extreme example, as most budget areas have remained quite stable in this regard. But the fact remains that security-related spending isn't particularly accompanying spending among the new IT fundamentals.

IT Security Spending: New Building Blocks

Perhaps we should not be surprised. It does seem as though the basic building blocks of an IT strategy are becoming quite different-a transformation we've been reporting on for some time. But forward-looking as it is, this kind of reporting can sometimes overstate the degree to which transformation is actually occurring now. One of the advantages of conducting research is that it can put trends in perspective. Those four new elementals may be the real future of IT, but that doesn't mean they've taken over the present yet. And IT security must always focus strongly on current realities on the ground.

That said, we're not entirely happy about what looks, in general, like a cautious approach to IT security. The first reaction of risk managers to new technological developments tends to be adjustments to policies and procedures, especially to prevent or modify user behavior. Though this is an effective way to reduce risk levels (or at least caution the business about the risks involved) while buying time to formulate an effective security response, all too frequently it seems that the work stalls there. In the case of cloud computing and consumerization, particularly, the potential for improved productivity and growth is big and immediate enough that it behooves organizations to push on and adopt security solutions that enable taking full advantage of them.

In last year's report, we concentrated most on the amount of security spending that was "hidden" outside of any dedicated, centralized IT security budget. This point bears repeating again this year, particularly given the fact that many fewer of our survey respondents say their organizations have such dedicated IT security budgets: only 42 percent, compared with 50 percent in 2011.

Centralization and decentralization come and go in waves, and looking at these results, we may very well be seeing some decentralization arising from today's pretty intense business-side pressure to deploy and manage IT to achieve business goals. For example, the survey reveals a reduction of IT consulting spending as part of the corporate security budget, where it exists; with so much activity at a departmental level, IT becomes more reactive and management-focused, and less proactive in planning. This is true throughout IT these days, of course -- it's not particular to IT security.

Corporate security managers surveyed do remain, on the whole, hopeful about the prospects for the corporate security budget this year. Half of those we surveyed expect at least 10 percent growth in 2012 over 2011. But it must be said that last year's survey results were similar. In fact, when you look at the share of specific budget growth expectations, security managers polled are actually less optimistic this year. Just over one quarter of respondents expect their centralized security budget to increase by 25 percent or more. Last year, 25 percent of respondents expected their centralized security budget to increase by at least 50 percent.

We're in an era in which business departments and their employees are finding and deploying applications, platforms and services on their own. One viable security strategy to deal with this is to push risk-remediation out to these same lines of business. We expect this trend to be short-term, representing only the decentralization part of the cycle. Recentralization will take place as the new IT elementals develop and mature, and central IT infrastructure efficiencies are found again.

In strange times, you should continue to rely on your common sense and gut instinct as you learn and experience more about the changes around you. Perhaps this is an overly dramatic way to characterize the IT transformation we're currently experiencing. But you can say at least that when it comes to IT security, you should continue to rely on the common-sense risk-investment equation that shows you how much, and where, to invest:

Annualized loss expectancy ($ALE) = chance of an event each year - estimated loss due to the event;

$ALE without remediation measure - $ALE with = $savings per year (realized or not);

Any security investment lower than the $savings represents net lower costs for the organization and is profitable spending.

When you think about it, it's only the calculation of $ALEs that has changed because of virtualization, mobility, cloud computing and consumerization. Each of these elementals brings multiple new threat vectors with it. Identifying those vectors is the easy part (to the extent that we all know we can never find them all-we must just keep looking on an ongoing basis). The hard part is estimating the likelihood of an event from that vector. That is always the chief bone of contention between technology proponents and risk managers. There's nothing new there.

This simple kind of corporate and IT discussion of risk is not occurring in most organizations, and hasn't been for some time. And though, as we mentioned at the start, we probably should not be surprised that security strategies have not changed very rapidly in response to these strong trends sweeping through IT, we can also say that this is one unfortunate result of a general lack of ALE-based planning.

From this perspective, our survey results highlight not just real opportunities for the security strategy to contribute to the bottom line; they point to a method as well. As we have all experienced, the four elementals are unlikely to wait for us. You would do well to buck the security spending trend, using good old-fashioned risk assessment to find ways to put today's most revolutionary technology tools firmly in the hands of the most creative executives and employees in your organization.